A COMPACT CRYPTO-ENGINE FOR RANDOM NUMBER AND STREAM
CIPHER GENERATION

Background of the Invention 

1. Field of the Invention 

The invention relates to a Crypto-engine for
authentication and information data scrambling.


2. Description of Prior Art 

The security of many cryptographic systems depends upon
the generation of unpredictable quantities that must be
of sufficient size and random. Linear feedback shift
registers (LFSRs), due to their simplicity and
efficiency of implementation, are the basic building
blocks in most popularly used stream cipher generators.
However, some attractive properties associated with
LFSRs give rise to the failure of many of these
constructions to meet a good cryptographic strength. In
particular, the inherent linearity of LFSRs and the
algebraic structure are frequently the basis for
breaking these cryptographic systems. The generating
polynomial can easily be derived and the initial states
that generate a specific sequence will produce a number
of predictable sequences. To avoid this linearity
problem, a nonlinear filtering function, whose inputs
are taken from some shift register stages to produce an
output, is used to destroy the linearity and algebraic
structure of the original sequence. The non-linear
filter in the form of nonlinear combination generator
is essential to make the outcomes more secure. However,
most of these filters are designed based on a nonlinear
combining function f of the outputs of several LFSRs in
parallel. The nonlinear function f employed is a fixed
function. Therefore, the mapping defined by the
nonlinear function f is a one-to-one mapping, and for
the same input imposed on f, the same output will be
obtained. Such a generator suffers a divide-and-conquer
attack if a correlation exists between the keystream
and the output sequences of individual sub-generators.
One solution could be to use the Data Encryption
Standard (DES) to randomize the output but this is not
economical as a substantial amount of hardware is
required. Generally stated, problems arise because the
stream ciphers or random number generators based on
LFSRs are cryptographically unsafe and a substantial
amount of hardware has to be used to make it safe.

Summary of the Invention 

It is an object of the invention to overcome or at least
reduce the above problems.

According to the invention there is provided a compact
dual function Random Number Generator (RNG) and Stream
Cipher Generator (SCG) including a Crypto-engine and a
controller for controlling the Crypto-engine to operate
either as a RNG or a SCG, three multiplexers controlled
by the controller to supply signals selectively to and
receive signals from the Crypto-engine, in which a first
multiplexer is arranged to receive RNG seed signals or
SCG key signals, a second multiplexer is arranged to
receive dynamic synchronization parameter signals or
constant synchronization signals, and a third
multiplexer is arranged to receive signals from the
Crypto-engine and provide Random Number output signals
or Stream Cipher output signals, respectively in each
case.

An XOR gate may be provided and arranged to receive the 
Stream Cipher output signals from the third multiplexer 
and separate Stream Cipher signals in plaintext or 
ciphertext, such that the output of the XOR gate is in 
ciphertext or plaintext, respectively.

A plurality of clipped Hopfield Neural Network pairs 
may be provided in the dual function Generator. 






A Seed/Key input; a Synchronisation Parameter Input; a 
Seed/Key Randomizer and a Non-Linear Manipulator may be 
included.
The clipped Hopfield Neural Network pairs may have an
Input CHNN (ICHNN) that provides a nonlinear interaction
with a dynamic/constant Synchronization Parameter input
and an output CHNN (OCHNN) then provides nonlinear
interaction with an adjacent ICHNN output.

The clipped Hopfield Neural Network may include one of a 
single iterating CHNN pair and a k pipeline CHNN pair, a 
Decision Box (DEC) and an Attractor Mapping Table (AMT).


The clipped Hopfield Neural Network may include neurons
in two states {0,1}; Synaptic Weights in three states
{-1,0,1}; and a non-linear Activation Function {0,1}.

An input to an n-neuron clipped Hopfield Neural Network
may be arranged to converge to one of the 2n+1 stable
states or attractors of the network after finite steps
of iterations k.

The clipped Hopfield Neural Network may be constructed
using cascaded lookup Tables if n is small. The Lookup
Tables may be associated with an initial Synaptic Weight
Matrix and a randomly selected Permutated Synaptic Weight
Matrix.

The compact dual function may include a "toggle" feature
in some selected bit sequence combination to avoid
statistical bias and possible correlation attack.

Brief Description of the Drawings

A Compact dual function Crypto-engine for Random Number
and Stream Cipher Generation will now be described by
way of example with reference to the accompanying
drawings in which:

Figure 1 is a block diagram of the Compact dual
function Random Number Generator and Stream Cipher
Generator;

Figure 2 illustrates the structure of the Crypto-engine;


Figure 3 is a block diagram of a Clipped Hopfield
Neural Network;

Figure 4 is table 1 which illustrates the initial
convergent domains for the Clipped Hopfield Neural
Network with 8 Neurons;

Figure 5 is table 2 which illustrates the permuted
convergent domains for the Clipped Hopfield Neural
Network with 8 Neurons;

Figure 6 is table 3 which illustrates the statistical
test results satisfying FIPS 140-2 using a constant
synchronization input in MUX2; and

Figure 7 is table 4 which illustrates the statistical
test results satisfying FIPS 140-2 using a dynamic
synchronization input in MUX2.

Description of the Preferred Embodiments 

Embodiments of the present invention provide a dual
function Compact Crypto-engine that is capable of
generating any length of random sequence when the
Crypto-engine is configured or used in the form of a
Random Number Generator (RNG), and enables any length
of data to be encrypted when the Crypto-engine is
configured or used in the form of Stream Cipher
Generator (SCG). Previously, a same Crypto-engine
(known per se) was incapable of being configured or
used in both forms.


Referring to the drawings, in Figure 1 the block
diagram represents the basic structure. A Controller
10 is used to control the operation of the Crypto-engine
11 whether it is used in the form of a RNG or a
SCG. A multiplexer MUX1 12 selects the "seed" for the
RNG or the "key" for the SCG respectively as the
initial input to the Crypto-engine. A multiplexer MUX2
13 selects between two external inputs, dynamic or constant
synchronisation parameters. The dynamic parameter can
be a variable address location or a changing real time
clock. The constant synchronization parameter can be an
additional key or any fixed parameter. A multiplexer
MUX3 14 selects whether the output from the Crypto-engine
is from the RNG or the SCG. The output from the
RNG can be fed back to the input and becomes the new
"seed" for the next random number state. The output
from the SCG can be the ciphertext after encryption, or
the plaintext after decryption using an XOR gate 15.


Figure 2 shows a fundamental building block of the
Crypto-engine. The upper part of the Figure comprises
clipped Hopfield Neural Networks.

A secret and random seed/key is first divided into m
sub-seeds/sub-keys, where m refers to the number of
CHNNs cascaded in parallel. The CHNNs, each with n
neurons, are used. Figure 3 shows the schematic
structure of the CHNN with n neurons. The boxes labeled
z^-1 represent unit delays. Each neuron is in one of the
two states {0, 1}. Pairs of neurons i and j in the
network are connected by a Synaptic Weight w_ij.



As shown in FIG. 3, the output of each neuron in the
CHNN is fed back to all other neurons including itself.
For the CHNN in the described embodiment, the actions
between two neurons can be excitatory (i.e. w_ij = 1),
inhibitory (i.e. w_ij = -1) or not directly connected
(i.e. w_ij = 0). The Synaptic Weight Matrix of the CHNN
is clipped to three values {0, 1, -1}.

The CHNN with n neurons takes n bits input x and n bits 
output y, according to the following equation: 



U = 0 J 



for / = 0,1 (1) 



where f is a non-linear function in the form of a Sign
Function, i.e. f(σ) = 1 when σ > 0 and f(σ) = 0 when σ
< 0.

The input to the CHNN will converge to one of the
stable states or the attractors of the network after
finite steps of iterations k. For a CHNN with n
neurons, most of the inputs to the network will
converge to one of the 2n+1 stable states after
approximately k steps of iterations. For n = 8, there
will be 17 stable states and the iteration is 2, i.e.
after passing through 2 consecutive CHNNs the stable
state is reached.

The Crypto-engine (Figure 2) consists of a Seed/Key
Randomizer and a Non-Linear Manipulator. In the Seed/Key
Randomizer, each sub-seed/sub-key with n bits
first passes through a CHNN layer with n neurons.



8, Apr, 2001 16:49 MARKS & CLERK, HK No, 2109 P. 11/25 



The circuit is based on a standard Hopfield Neural
network that is 'clipped' as described below. A
'clipped' Hopfield Neural Network has already been
proposed for use in other cryptographic systems but not
applied in support of a dual function Crypto-engine as
provided in embodiments of the present invention. The
outputs from CHNN1_1 to CHNN1_m are XORed with the
synchronization input. These outputs, from OUT1_1 to
OUT1_m, become the input of CHNN2_1 to CHNN2_m
respectively. By further XOR operations, OUT2_1 to
OUT2_m are generated and will be passed into the
Non-Linear Manipulator (NLM). The NLM is constructed using
k consecutive CHNNs or a single CHNN iterated k times
to reach a stable state.

The CHNN may be constructed in another way using a
lookup table if n is small, say 16. By performing a
randomly selected n x n Permutation Matrix on the
Synaptic Weight Matrix, a different attractor and input
pair will result. Table 1 and Table 2 (Figures 4 and 5)
show the convergence domain of the attractors with two
different Synaptic Weight Matrices in CHNNs with 8
neurons. From the tables, the Crypto-engine has
generated an irregular relationship between the inputs
to the CHNN and the output attractors.
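
An added example, not taken from the patent, of the clipped Hopfield update, its convergence to attractors, and the effect of permuting the Synaptic Weight Matrix described above. The weight matrix, the update y_i = f(sum_j w_ij x_j), the treatment of a zero sum as output 1, and the reading of the permutation as a relabelling of neurons are all assumptions; the patent's own matrices and Tables 1 and 2 are not on this page, so the attractor count here need not match the 2n+1 stated in the text.

```python
from itertools import product

N = 8  # neurons, matching the 8-neuron case discussed in the text

def make_weights():
    """Constructed clipped matrix (assumption): each neuron excites itself
    (+1) and is inhibited (-1) by the next neuron on a ring; all else 0."""
    return [[1 if j == i else -1 if j == (i + 1) % N else 0
             for j in range(N)] for i in range(N)]

def step(w, x):
    """One synchronous update y_i = f(sum_j w_ij * x_j).
    Assumption: a sum of exactly 0 gives output 1."""
    return tuple(1 if sum(wij * xj for wij, xj in zip(row, x)) >= 0 else 0
                 for row in w)

def converge(w, x, max_iter=16):
    """Return (attractor, k) once the state stops changing after k updates,
    or None if it is still changing after max_iter (e.g. a limit cycle)."""
    for k in range(max_iter + 1):
        y = step(w, x)
        if y == x:
            return x, k
        x = y
    return None

def permute(w, perm):
    """Relabel neuron i as perm[i]: w'[perm[i]][perm[j]] = w[i][j]."""
    out = [[0] * N for _ in range(N)]
    for i, j in product(range(N), repeat=2):
        out[perm[i]][perm[j]] = w[i][j]
    return out

def domains(w):
    """Convergence-domain table: attractor -> inputs that settle on it."""
    table = {}
    for x in product((0, 1), repeat=N):
        hit = converge(w, x)
        if hit is not None:
            table.setdefault(hit[0], []).append(x)
    return table

if __name__ == "__main__":
    w = make_weights()
    wp = permute(w, list(range(N - 1, -1, -1)))  # reverse the neuron order
    x = (1, 0, 0, 0, 0, 0, 0, 0)
    print(len(domains(w)), "attractors for w")
    print(x, "->", converge(w, x)[0], "under w")
    print(x, "->", converge(wp, x)[0], "under the permuted w")
```

With this constructed matrix the 256 inputs fall into 47 convergence domains, and the permuted matrix sends the same input to a different attractor while the set of domain sizes stays the same.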

Block DEC (in Figure 2) is a decision box to select
whether the Crypto-engine is operated as a RNG or a
SCG. For a RNG, a further XOR function is required and
the final random sequence output is fed back to become
the new seed for the next random number state. For a
SCG, an Attractor Mapping Table (AMT) is used to map n
bits of the attractors into l-bit sequences, where l <
n. The outputs from each AMT are combined together to
form a keystream which is XORed with the
plaintext/ciphertext to form the encrypted/decrypted
data, respectively.


To avoid statistical bias and possible correlation
attack, some selected bit sequence combination can be
designed to have a "toggle" feature, i.e. the same
sequence appears consecutively with a complementary
output.

With the use of the Permutation Matrix to generate
a different Synaptic Weight Matrix, a different keystream
can be obtained even though the same "key" and
"synchronization input" are used. Moreover, with the
nonlinear dynamic property of the CHNN, the following
properties will occur under different keystreams:
different ciphertext may be generated from the same
plaintext; same ciphertext may be generated from
different plaintext; or different plaintext may give
rise to different ciphertext. Thus, the scheme is
safeguarded against a cryptanalyst's ciphertext only attack.
Moreover, neither a chosen plaintext attack nor a known
plaintext attack can guess the secret "keys".

The random number generated from the RNG and the
keystream generated from the SCG satisfy some degree of
randomness to ensure that it can be used in a
cryptographic process. The statistical tests as
specified in FIPS 140-2 for randomness tests have been
considered. These statistical tests are commonly used
for determining whether the binary sequence possesses
some specific characteristics that a truly random
sequence would be likely to exhibit. The following
properties of the bit stream are satisfied:
distribution of single bit (monobit test), the number
of occurrences of each of the 16 possible 4-bit
combinations (poker test), the consecutive occurrence
of 1's or 0's (runs test), and the maximum consecutive
occurrence (long run test). Failure of a single bit
stream of 20,000 consecutive bits subjected to each of
the above tests would indicate higher possibilities of
being statistically attacked.
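
An added example, not from the patent, of three of the four FIPS 140-2 tests named above, applied to one 20,000-bit sample; the runs test is left out to keep the block short. The pass intervals are the ones published in FIPS 140-2, and both sample streams are constructed for illustration.

```python
import hashlib

def to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def monobit(bits):
    """Number of ones X; pass if 9725 < X < 10275."""
    x = sum(bits)
    return x, 9725 < x < 10275

def poker(bits):
    """Statistic over the 5000 non-overlapping 4-bit blocks;
    pass if 2.16 < X < 46.17."""
    counts = [0] * 16
    for i in range(0, 20000, 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = 16 * sum(c * c for c in counts) / 5000 - 5000
    return x, 2.16 < x < 46.17

def long_run(bits):
    """Longest run of identical bits; fail if it is 26 or more."""
    best = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best, best < 26

def fips_check(bits):
    """Run the three tests on one 20,000-bit sample; True means pass."""
    if len(bits) != 20000:
        raise ValueError("the tests are defined on exactly 20,000 bits")
    return {"monobit": monobit(bits)[1], "poker": poker(bits)[1],
            "long_run": long_run(bits)[1]}

def sample_stream(seed):
    """Constructed input: SHA-256 in counter mode, truncated to 2500 bytes."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(79))
    return to_bits(b"".join(blocks)[:2500])

if __name__ == "__main__":
    print("hash stream:", fips_check(sample_stream(b"constructed seed")))
    print("0101... stream:", fips_check([0, 1] * 10000))
```

The 0101... stream passes the monobit and long run tests but fails the poker test, which is why the tests are applied together. A pass only rules out gross statistical bias: the hash-based stream is fully determined by a known seed and still passes.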

Table 3 (in Figure 6) shows the test results for the
random number generated (RNG) using a constant
synchronization input.

Table 4 (in Figure 7) shows the test results for the
keystream generated (SCG) using a dynamic
synchronization input. Both results show that the
sequence has a good statistical property and satisfies
all of the tests. The output value ^> ut remained within
acceptable limits for the sequences, generated with
different seeds/keys and different Synaptic Weight
Matrices.

In embodiments of the present invention, both random
number generation and stream cipher encryption can be
implemented using the same software or hardware module.
This results in a considerable saving in hardware
components, memory space and design time. This is
especially important in providing applications in
markets with constrained resources, such as use with
smart cards. Embodiments of the invention are entirely
suitable for constrained silicon implementation, such
as smart card key generation and data scrambling, and a
large re-configurable Random Number Generator and
Stream Cipher Generator.


Embodiments of the invention can be implemented in a
parallel cascaded architecture. The structures require
simple Exclusive Or and Logic functions. This allows
fast and efficient implementation of the dual function
Crypto-engine using either software or hardware
techniques. With the use of a synchronization input,
the matching of computational output results are
retained and are as good as external located devices of